Skip to main content

OpenID Connect client for CAERP

Project description

Pyramid Oidc client library for caerp

python setup.py install

Add a client in your OpenId Authentication (e.g: Keycloak)

To configure your open id connect client in a SSO server like Keycloak.

Host : https://caerp.mycae.coop

Important Create a custom realm (don't use the master realm, you'll face serious security problems : all users would have admin rights on Keycloak)

Add a client

For security reasons, always use HTTPS protocol in URLs. Certificates must be provided by well known authorities.

The REQUESTS_CA_BUNDLE environment variable may be used to specify your custom trusted certificates.

Retrieve the client secret

In the "Credentials" section of the keycloak client view, retrieve the client's secret (you need it to configure caerp)

Configure your client : caerp

In your caerp application's ini file

pyramid.includes = ...
                   caerp_oidc_client.models

Later in the same ini file

caerp.authentification_module=caerp_oidc_client

oidc.client_secret=<Secret token from the OIDC server>
oidc.client_id=caerp_client_id
oidc.scope=openid roles
oidc.auth_endpoint_url=<Keycloak auth endpoint url>
oidc.token_endpoint_url=<Keycloak id token endpoint url>
oidc.logout_endpoint_url=<Keycloak logout endpoint url>

JWKS Token validation

Due to backward compatibility, by default, caerp_oidc_client doesn't validate the JWT token using the JWKS encryption data.

JWKS validation is highly recommended and is mandatory for obvious security reasons when the JWT token is transmitted by a third_party (for example frontend or api gateway).

To configure JWKS Token validation, add the following lines :

oidc.jwks_service=caerp_oidc_client.services.JWKSService
oidc.jwks_endpoint_url=<Keycloak jwks endpoint url>
oidc.token_signature_algorithms=<use one of HS256 HS384 HS512 RS256 RS384 RS512>

Keycloak's url are in the form

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/auth

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/token

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/logout

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/certs

Some advices for security

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

caerp_oidc_client-2026.0.2.tar.gz (22.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

caerp_oidc_client-2026.0.2-py3-none-any.whl (21.5 kB view details)

Uploaded Python 3

File details

Details for the file caerp_oidc_client-2026.0.2.tar.gz.

File metadata

  • Download URL: caerp_oidc_client-2026.0.2.tar.gz
  • Upload date:
  • Size: 22.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for caerp_oidc_client-2026.0.2.tar.gz
Algorithm Hash digest
SHA256 c627f30ecafda87e2a7c911e47bfc727df400ec10996d9639d0d7cf50ef0d4dd
MD5 3dbda4bf05c006608e39415d468fc4bd
BLAKE2b-256 ac5adfdb1288816f76085b174a1cdf4fc396851084506cff61fe6d7dc7821c51

See more details on using hashes here.

File details

Details for the file caerp_oidc_client-2026.0.2-py3-none-any.whl.

File metadata

File hashes

Hashes for caerp_oidc_client-2026.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 00c5a547b5d4135dd3c89bf7f3d5cf86643f18ba305ecb1a10fa401ecdf6774d
MD5 49d7ec6293f00fe2e10b1c5fbb05bfcd
BLAKE2b-256 8a86a6a5a875ef728de3b99350652b9dad8917b1dbee31093fe56c20e37c6d3d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page